This website uses cookies to improve your browsing experience. By continuing to use this website you consent to the use of cookies in accordance with our cookie policy. To find out more, click on this link:
Read MoreAllow Cookies

In This Section

Cyber and Data Protection

New Agreement Reached For Data Transfers To The U.S. – Deal Or No Deal?

February 2016

After Safe Harbour was invalidated at the end of 2015 in the Schrems decisions, a deadline of 31 January 2016 was set for agreement to be reached between EU and US authorities on an alternative mechanism for transfers of personal data to the US. With the prospect of enforcement action looming and with high profile U.S. companies likely to be first in the firing line, a much welcomed announcement came on 2 February that a new framework called “Privacy Shield” has been agreed for transatlantic data flows.

Before organisations celebrate the replacement of Safe Harbour too soon, however, the Article 29 Working Party has released a statement that it is awaiting the final text before it can consider the implications of the new arrangement and will then only determine whether Privacy Shield answers the wider concerns raised by the Schrems judgment.

The Working Group’s statement makes clear that it still has concerns on the current U.S. legal framework in relation to what it terms the “four essential guarantees” required by EU law for intelligence activities.

The Working Group has called for all documents relating to Privacy Shield to be released to them by the end of February, at which point it will then complete its assessment of personal data transfers to the U.S. This will include the findings of the Working Group’s review on the validity of alternative transfer mechanisms such as standard contractual clauses and binding corporate rules.

The Working Group statement clarifies that in the interim, these alternative transfer mechanisms can still be used by organisations. The statement also reiterates that since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbour arrangement and cautions that EU data protection authorities will deal with related cases and complaints on a case by case basis.

Although the Working Party’s approval is not required by the Commission for the implementation of Privacy Shield, any criticism of the arrangement will increase the likelihood of further legal challenges.

Although this is a major milestone in the wake of Schrems, the new arrangement is not a done deal yet and is certainly some way off being finalised or implemented. For now, organisations will have to continue relying on alternative transfer mechanisms and keep the situation under review for the outcome of the Article 29 Working Party assessment.